21
```
glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
```

I just installed cookie-parser from the command line. As mentioned above, there were 4 moderates. My glob-parent -v is currently 7.19.1. 'npm audit' and 'npm audit fix' don't work. What should I do?

no ai please
Edward

4 Answers

19

In your package.json, add this target under scripts:

```json
"preinstall": "npx npm-force-resolutions"
```

Then add this below the scripts:

```json
"resolutions": {
  "glob-parent": "^6.0.1"
}
```

One thing, I don't know if any dependent packages that use an older version will break because of 6.0.1.

Homer
Fritz
  • Adding `"resolutions": { "glob-parent": "^6.0.1" }` and executing the `yarn` command solved my issue. Thank you – Abdulsamet ILERI Jul 28 '21 at 07:12
    It doesn't work for me when I do "npm install" being the first installation. If I remove `"preinstall": "npx npm-force-resolutions"` and run npm install then I get the "glob-parent" vulnerabilities. Then, I add `"preinstall": "npx npm-force-resolutions"` and run again "npm install" and the vulnerabilities disappear. – Andrew F. Aug 24 '21 at 16:33
  • `npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name "npx npm-force-resolutions" of package "preinstall@npx npm-force-resolutions": Tags may not have any characters that encodeURIComponent encodes.` – Denver Prophit Jr. May 21 '22 at 01:06
  • According to the owner of another package that has this as a dep, v6.0.1 doesn't have support for 2019 NodeJs. https://github.com/paulmillr/chokidar/issues/1191#issuecomment-1009063719 – sirclesam Sep 22 '22 at 03:31
17

I'm the person who wrote the fix for glob-parent that landed in glob-parent@5.1.2. There are (at least) three ways to address this.

First possibility: Update from watchpack version 1 to watchpack version 2. watchpack version 2 does not depend on a vulnerable version of glob-parent. Unfortunately, there is no CHANGELOG file in the watchpack repository, so you'll have to find the relevant breaking changes some other way. Maybe if you have excellent test coverage, you can rely on that. Or if your project is relatively new, then simply building it with watchpack version 2 to begin with will be the way to go.

The second possibility is that if watchpack is a development dependency only and not something used by the user-facing part of your app, then you probably don't need to worry about this at all and can ignore the message. I don't recommend this, but I also have to admit that npm audit warnings can be a little bit boy-crying-wolf sometimes.

The third option is to patch your vulnerable glob-parent with the fix. However, you have to know what you're doing (particularly how npm works) to not shoot yourself in the foot and end up undoing the fix without realizing it. So this is also not something I recommend.

If you can update watchpack to 2.x, that is the way to go.

Trott
  • As per https://overreacted.io/npm-audit-broken-by-design/, adding npm audit --production shows that the error is only in dev mode, which is a false positive error – iLyas Dec 21 '21 at 05:14
  • I'm getting the glob-parent error in the production as well. – Sumit Ghewade Aug 24 '22 at 15:45
14

Use the following overrides and it will resolve the issue:

```json
"overrides": {
  "chokidar": "3.5.3",
  "glob-parent": "6.0.2"
}
```

Add the above to your package.json and run npm update

Prathamesh mhatre
  • Thank you for sharing this! I found this to be very useful and worked well for my situation. Of course, anyone using this should be mindful of what you are overriding as there could always be some side effect or potentially break other parts of your build. But this definitely worked well for my situation. Thank you again! – Mark Fasel Feb 14 '23 at 16:09
  • that did for me, thanks – Paulo Griiettner Mar 17 '23 at 07:22
0

Just update the chokidar deps for your project:

```
npm install chokidar@latest --save-dev
```

If it doesn't help, you should update glob-parent to the latest version. Check the version you have:

```
npm list glob-parent
```

and update to the latest:

```
npm install glob-parent@latest
```